
how to bind to AD using MSAs

awurster
Contributor

i'm having a bit of trouble binding to our domain using LDAP. we have used managed service accounts (MSAs) according to the splunk deployment guide, however the LDAP authentication doesn't appear to work using that same account. i was trying to bind with the MSA's DN, but that doesn't appear to do it. however, binding with my admin account ("andrew-admin") does work.

so my question is:
do we have to have a separate account just for binding from the search head and authenticating end-users? or can we use the MSA? and if so, what parameters does a typical AD server use?

here's what i see:

01-18-2013 11:13:40.456 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users
01-18-2013 11:14:01.878 +1100 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="andrew-admin" from strategy="my.domain"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Initializing with LDAPURL="ldaps://ldap-server:636"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting to search subtree at DN="DC=my,DC=domain" using filter="(&(samaccountname=andrew-admin)(objectclass=person)(cn=*))"
01-18-2013 11:14:01.893 +1100 WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search for DN="DC=my,DC=domain". reason="Operations error"
01-18-2013 11:14:01.893 +1100 ERROR AuthenticationManagerLDAP - Could not find user="andrew-admin" with strategy="my.domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Successfully performed unbind
01-18-2013 11:14:01.893 +1100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="andrew-admin" on any configured servers
01-18-2013 11:14:10.753 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users

and here's what i've got configured in authentication.conf:

[my.domain]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
#bindDNpassword =
charset = utf8
groupBaseDN = DC=my,DC=domain
groupBaseFilter = (objectClass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap-server
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 15
userBaseDN = DC=my,DC=domain
userBaseFilter = (objectclass=person)
userNameAttribute = samaccountname


awurster
Contributor

i think that the answer must be that:

  1. Managed Service Accounts (MSAs) are only meant to run the splunk services (splunkd and splunkweb) and manage the directories
  2. binding to the directory for the purpose of authenticating Splunk users and admins is meant to use a more traditional "service account" approach, with a full user account that can bind to the directory with LDAP and of course specify a (static) password. this account would have to be a separate account from the MSA.


treinke
Builder

The two things I can see that are different from mine are your userBaseDN and groupBaseDN, and then the commented-out password. I use the same account in my environment. Here is an example of what I have in my authentication.conf file.

userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain
groupBaseDN = OU=Security Groups,DC=my,DC=domain

I list the OUs and not just the full domain. A couple things to try:

  1. List the OU/CNs in groupBaseDN/userBaseDN

  2. Take off filtering (groupBaseFilter / userBaseFilter)

  3. Uncomment the bindDNpassword and enter the service account's password

There are no answers without questions

awurster
Contributor

thank you anthony. i think you may have a point about the password for the bind account. however, it's a "managed service account" - a special type of 2k8 not a regular user object delegated for service duty.

see the following article please on those:
http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx#BKMK_Passwords
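
An added example (not part of the original thread and not Splunk's own code) that checks for the pattern seen in the question: a stanza with `bindDN` but no `bindDNpassword`, plus log lines where "Bind successful" is followed by an "Operations error" on the search. It assumes the missing password results in a simple bind with an empty password, which RFC 4513 treats as an unauthenticated (anonymous) bind even though a DN was supplied; the sample config and log are constructed from the question's excerpts, and the function names are hypothetical.

```python
import configparser
import re

# Constructed from the question's authentication.conf (trimmed to relevant keys).
SAMPLE_CONF = """\
[my.domain]
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
#bindDNpassword =
host = ldap-server
"""

# Constructed from the question's splunkd log (timestamps dropped, DNs shortened).
SAMPLE_LOG = """\
DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,DC=my,DC=domain"
DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful
WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search for DN="DC=my,DC=domain". reason="Operations error"
DEBUG ScopedLDAPConnection - strategy="my.domain" Successfully performed unbind
"""

def passwordless_binds(conf_text):
    """Strategies that set bindDN but have no non-empty bindDNpassword."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the .conf file
    cp.read_string(conf_text)
    return [s for s in cp.sections()
            if cp[s].get("bindDN", "").strip()
            and not cp[s].get("bindDNpassword", "").strip()]

LINE = re.compile(r'strategy="(?P<s>[^"]+)" (?P<msg>.+)')

def bind_then_operations_error(log_text):
    """Strategies whose search fails with "Operations error" after a successful bind."""
    bound, hits = set(), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = m["s"], m["msg"]
        if msg.startswith("Bind successful"):
            bound.add(s)
        elif msg.startswith("Successfully performed unbind"):
            bound.discard(s)
        elif 'reason="Operations error"' in msg and s in bound and s not in hits:
            hits.append(s)
    return hits

def diagnose(conf_text, log_text):
    """Strategies showing both signs of an unauthenticated bind."""
    weak = set(passwordless_binds(conf_text))
    return [s for s in bind_then_operations_error(log_text) if s in weak]
```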
